WordPress Account Switcher Plugin Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Account Switcher plugin for WordPress, affecting all versions through 1.0.2. The issue arises in the 'rememberLogin' REST API endpoint, which validates the supplied secret with a loose comparison rather than a strict, constant-time check. Because the endpoint also performs no capability check, an authenticated attacker with Subscriber-level access or higher can pass the secret check with an empty value and obtain a session for an arbitrary user, including an Administrator.

Impact

Exploitation of this vulnerability allows authenticated users with Subscriber-level access and above to switch to any user account, including those with Administrator privileges, effectively granting themselves full administrative rights.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the 'rememberLogin' REST API endpoint with an empty 'secret' parameter. The loose comparison accepts the empty value, so the secret check passes and the endpoint calls 'wp_set_auth_cookie()' for the targeted user. The attacker's browser now holds a valid authentication cookie for that account and, if an Administrator was targeted, has full administrative privileges.
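As an added illustration (not the plugin's own code, which the advisory does not reproduce), the following shows the kind of handler the description implies beside a hardened version. It assumes WordPress is loaded; the route namespace 'example-switcher/v1', the user meta key 'acct_switch_secret', the function names and the chosen capability 'manage_options' are all assumptions made for the example.

```php
<?php
// Added example, not the Account Switcher plugin's code. Names, meta keys
// and the capability used are assumptions; it expects to run inside WordPress.

// --- Vulnerable pattern (assumed shape; do not deploy) ---
function vuln_remember_login( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = $request->get_param( 'secret' );                       // attacker-controlled
    $stored  = get_user_meta( $user_id, 'acct_switch_secret', true ); // '' when no meta exists

    // Loose comparison: '' == '' is true, as are '' == null and '' == false,
    // and numeric strings such as '1e1' == '10' also compare equal. An empty
    // 'secret' therefore passes whenever nothing is stored for the target user.
    if ( $secret == $stored ) {
        wp_set_auth_cookie( $user_id ); // caller now holds $user_id's session
        return new WP_REST_Response( array( 'ok' => true ) );
    }
    return new WP_Error( 'bad_secret', 'Invalid secret', array( 'status' => 403 ) );
}

// --- Hardened version ---
function safe_remember_login( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = (string) $request->get_param( 'secret' );
    $stored  = (string) get_user_meta( $user_id, 'acct_switch_secret', true );

    // Reject empty or missing values before comparing; hash_equals() then gives
    // a strict, type-safe, constant-time comparison with no coercion.
    if ( '' === $secret || '' === $stored || ! hash_equals( $stored, $secret ) ) {
        return new WP_Error( 'bad_secret', 'Invalid secret', array( 'status' => 403 ) );
    }
    if ( ! get_userdata( $user_id ) ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    wp_set_auth_cookie( $user_id );
    return new WP_REST_Response( array( 'ok' => true ) );
}

// The capability check belongs in the route's permission_callback, so a
// Subscriber never reaches the handler at all. 'manage_options' is assumed;
// pick the capability that matches who may legitimately switch accounts.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-switcher/v1', '/rememberLogin', array(
        'methods'             => 'POST',
        'callback'            => 'safe_remember_login',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'manage_options' );
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
            'secret'  => array(
                'required' => true,
                'type'     => 'string',
            ),
        ),
    ) );
} );
```

The two changes are independent and both are needed: strict comparison closes the empty-secret bypass, and the permission_callback stops low-privilege users from calling the endpoint even if the secret logic regresses later. A permission_callback that returns true unconditionally is equivalent to having none.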

Remediation

No known patch is available for this vulnerability. It is recommended to uninstall the affected plugin and find a replacement; deactivating it also stops the route from being registered, but removing the files entirely is safer. Because successful exploitation leaves the attacker with a valid authentication cookie for the victim account, also review administrator accounts and active sessions for signs of misuse after removal.

Added: May 20, 2026, 2:38 AM
Updated: May 20, 2026, 2:38 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.8
remediation: 0.0
relevance: 8.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.